Date: Fri, 9 May 2014 09:13:30 +0200
From: Marcus Meissner <>
To: OSS Security List <>
Subject: Linux kernel floppy ioctl kernel code execution


As this was posted to linux-distros, and was supposed to be made public
earlier this week, but so far wasn't published on oss-sec ...

Reported by Matthew Daley to

There apparently exists a proof-of-concept root exploit that allows
local users with access to a floppy device to execute code in the linux

(I think this needs a floppy driver to actually allow access to a floppy
 device. My machine only says "floppy0: no floppy controllers found" today.)

Linux Kernel Mainline commits:

Author: Matthew Daley <>
Date:   Mon Apr 28 19:05:21 2014 +1200

    floppy: don't write kernel-only members to FDRAWCMD ioctl output

    Do not leak kernel-only floppy_raw_cmd structure members to userspace.
    This includes the linked-list pointer and the pointer to the allocated
    DMA space.

    Signed-off-by: Matthew Daley <>
    References: CVE-2014-1738
    Signed-off-by: Linus Torvalds <>

commit ef87dbe7614341c2e7bfe8d32fcb7028cc97442c
Author: Matthew Daley <>
Date:   Mon Apr 28 19:05:20 2014 +1200

    floppy: ignore kernel-only members in FDRAWCMD ioctl input

    Always clear out these floppy_raw_cmd struct members after copying the
    entire structure from userspace so that the in-kernel version is always
    valid and never left in an indeterminate state.

    Signed-off-by: Matthew Daley <>
    References: CVE-2014-1737
    Signed-off-by: Linus Torvalds <>

Ciao, Marcus
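
The pattern the two commit messages above describe, as an added user-space C model (not the kernel patch and not code from this message). struct raw_cmd_model, its field names and the model_* functions are assumptions made for illustration, and memcpy() stands in for copy_from_user()/copy_to_user().

```c
#include <stdio.h>
#include <string.h>
struct raw_cmd_model {             /* user-space model; names are illustrative */
    unsigned long flags;           /* caller-supplied */
    long length;                   /* caller-supplied */
    char *kernel_data;             /* kernel-only: pointer to DMA space */
    struct raw_cmd_model *next;    /* kernel-only: linked-list pointer */
};

/* Input side: copy the whole struct, then reset the kernel-only members. */
static void model_copyin(struct raw_cmd_model *k, const void *user_buf)
{
    memcpy(k, user_buf, sizeof(*k));   /* stands in for copy_from_user() */
    k->kernel_data = NULL;
    k->next = NULL;
}

/* Output side: blank kernel-only members in a scratch copy before copy-out. */
static void model_copyout(void *user_buf, const struct raw_cmd_model *k)
{
    struct raw_cmd_model out = *k;     /* live struct keeps its pointers */
    out.kernel_data = NULL;
    out.next = NULL;
    memcpy(user_buf, &out, sizeof(out));   /* stands in for copy_to_user() */
}

/* Constructed input: the caller fills the pointer members with its own values. */
static int input_pointers_ignored(void)
{
    struct raw_cmd_model user = { 0x4, 512, NULL, NULL }, k;
    user.kernel_data = (char *)&user;
    user.next = &user;
    model_copyin(&k, &user);
    return !k.kernel_data && !k.next && k.flags == 0x4 && k.length == 512;
}
/* Constructed kernel state: the struct owns a buffer and a chained command. */
static int output_pointers_hidden(void)
{
    static char dma[16];
    struct raw_cmd_model tail = { 0, 0, NULL, NULL }, user;
    struct raw_cmd_model k = { 0x4, 512, dma, &tail };
    model_copyout(&user, &k);
    return !user.kernel_data && !user.next && k.kernel_data == dma && k.next == &tail;
}

int main(void)
{
    printf("%d %d\n", input_pointers_ignored(), output_pointers_hidden());
    return 0;
}
```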
